learn

Fail

Audited by Snyk on May 11, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 0.80). The skill embeds many explicit, side-effectful instructions (git commits, file edits like appending CLAUDE.md, vendored-package removal, telemetry/config changes, auto-upgrades and artifact syncs) that go beyond the stated "manage project learnings" purpose and even contradict its "HARD GATE: Do NOT implement code changes", so it contains deceptive/out-of-scope directives.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's Artifacts Sync and preamble explicitly run git fetch/merge and call gstack-brain-sync / gbrain (e.g., the "ARTIFACTS_SYNC" and "_BRAIN_SYNC_BIN" sections), say "If artifacts are listed, read the newest useful one", and offer to open an external URL. The skill therefore pulls and reads remote repository/brain content (potentially GitHub/GitLab or public URLs), which the agent then interprets and which can change its suggested actions.

Issues (2)

  • E004 (CRITICAL): Prompt injection detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

Audit Metadata

Risk Level: CRITICAL
Analyzed: May 11, 2026, 08:07 PM
Issues: 2